St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email.

The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours.

During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account.

While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed or copied by the attacker.

Upon discovery of the breach, unauthorized access to the account was terminated and all phishing emails sent from the account were removed from the email system. Employees discovered to have clicked on links in the emails also had their email accounts disabled and secured.

Verity Health System has experienced multiple phishing attacks in the past few months. This incident follows two attacks in late December 2018 and another attack in January. The January attack affected almost 15,000 patients.

Verity Health has now implemented further email security controls to block malicious emails along with multi-factor authentication. Individuals involved have been provided with counseling and re-education and a new security module has been deployed.

According to the HHS’ Office for Civil Rights breach portal, 662 patients were affected by the St. Vincent Medical Center breach.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.